The Right to Keep and Bear Cyber Arms: The 2nd Amendment and CyberWar

There have been several articles floating around about “Cyber Militias”, and though I will probably regret it, I think it is time to talk about cyber weapons and the second amendment.

I’ve seen some interesting video lately, where two armed thugs enter a business and threaten everyone inside. An armed civilian defends himself and everyone inside by drawing his weapon and chasing the perps out of the business with some well aimed shots. But what if your business, that you worked very hard to build with blood, sweat and toil, is targeted by cyber criminals, what can you do?

Well, right now, all you can legally do is contact the authorities. Even if you knew how, you can not take matters into your own hands and counter-hack the attackers. With all the media hype over Stuxnet, cyber war and cyber weapons – should US citizens be legally allowed to own and use these deadly weapons in accordance with their 2nd Amendment rights?

Okay, I am poking fun with the “deadly” thing, as so far no one has been officially killed by a “cyber weapon”. But Joel Harding has some very interesting points in his latest post on cyber militias. If Switzerland stays true to course, and hands out government made cyber code to home guard soldiers, shouldn’t American civilians have access to such weapons also?

Honestly, as the amendment is written and as code is being quantified as a weapon, why shouldn’t Americans be allowed to actively defend themselves against online electronic risks as well as physical threats?

Of course, I can foresee that a single user Denial-of-Service weapon would probably be given out without much ado, but there will probably be a ban on large capacity distributed DoS weapons. And of course their will be a 10 day waiting period on Stuxnet based threats.

Wouldn’t want someone blowing up a couple nuclear power processing plants in Iran just because they had a bad day at the office…

Alright, alright… All kidding aside, should the 2nd amendment apply to cyber weapons – what do you think?

Advertisements

Windows 8 Forensics: Internet History Cache

Internet history on Windows 8, particularly with Microsoft Internet Explorer v10, has taken a turn from its traditions that we are all used to.  Gone are the days of index.dat.  That’s somewhat of a scary statement to say, even for someone like myself who has only been around for a couple years now.

Fortunately, I spend much of my time doing research and development, always trying to figure out things that can help the world of forensics.  With the help of Jimmy Weg, I’ve been able to add on to my previous research into WebCacheV24.dat and came across quite a few things.

 Just a few directories down from the old <user>\appdata\local\microsoft\windows\history directory is a directory that may be a new good friend, WebCache.

Within this folder is a file named WebCacheV24.dat.  Before learning of Mark Woan’s EseDbViewer, I parsed these files manually by their hex values.  It was great fun, and I figured out a lot of information.  Most of my initial research on this can be found on the LCDI blog, if at all interested.

However, I wanted to now take it to the next level with EseDbViewer and verify my results against what I had previously found.  First step is obvious, open up WebCacheV24.dat into the program.  On the left side of the window is a Table Name pane:

Important information for navigating throughout the tables is found in the Containers table.  All containers are listed numerically and display the path of the directory that is being extracted for that specific table.  The name of the type of data that is being extracted is shown as well.  For example, in the follow picture, container 10 and 14 both are being extracted from c:\users\forensicator\appdata\local\microsoft\windows\history\history.ie5\mshist[daterange].

With an image that has much more information, there could be upwards to 50 or more containers.  With that in mind, it’s quite obvious why the Containers table is very important to parse through before looking into each and every container.  For my purposes, I will examine containers 2, 6, 10 and 14.

Before going into the parsing, the following is my documentation table that I created while visiting websites:

Website/URL
Time/Date of Visit
Opened IE – default page Bing.com
16:28  –  7/18/2012
NBA.com
16:28
Facebook.com
16:28
Hackintosh.com
16:29
Bing search: Asrock
16:30
Asrock.com
16:30
Z77 Extreme6 Specs
16:31
Google.com
16:32
Google search: asrock z77 extreme6 mac compatibility
16:32
Google search: best mac compatible motherboards 2012
16:33
Macbreaker.com
16:34
Google search: best mac compatible motherboards 2012
16:42
Macbreaker.com
16:42
Tonymacx86.com
16:43
Nba.com
17:00
Twitter.com
17:01
Opened IE – default page Bing.com
09:08  –  7/19/2012
Nba.com
09:08
Tonymacx86.com
09:15
Newegg.com
09:21
Tonymacx86.com
09:23

As one last note, please keep in mind that the containers I am looking at here (2,6,10,14) may change from case to case.  This is why parsing the Containers table first is extremely important.

But, without further ado, here goes:

Container 2

Container 2 contains information that looks very similar to the information that I parsed manually in the WebCacheV24.dat file, at least in terms of its syntax.  Oddly though, it’s located within users\forensicator\appdata\local\microsoft\windows\history\history.ie5, which is the location of where the all-containing index.dat file used to be located.  Instead, now, there is a container.dat file in this folder that (in EnCase) appears empty.  Apparently not so empty after all.

The first thing that pops out in this container is Bing searches that I performed.  Pretty easy find, just takes a little scrolling.

The next thing to do is to check the time stamps for these and verify them.  Thanks to Jimmy Weg for pointing out that the numbers here are decimal and need converted to hexadecimal, and then run through D-Code or a similar tool.  The time values displayed by EseDbViewer are shown in the following image:

For the following times, I am using the values in the fifth row down, “Visited: Forensicator@http://hackintosh.com/”

Time Entry
Decimal
Hexadecimal
Actual Time
Accessed Time
129871833391583038
1CD65BE8FA24F3E
Thu, 19 July 2012 09:55:39 -0500
Modified Time
129871169652117654
1CD652405ADD096
Wed, 18 July 2012 15:29:25 -0500
Sync Time
129871833391583038
1CD65BE8FA24F3E
Thu, 19 July 2012 09:55:39 -0500
Expiry Time
129893633652122884
1CD7992546B6504
Mon, 13 August 2012 15:29:25 -0500

When parsing through this container and the table, it is very common to find the same value in many places for both Accessed Time and Sync Time.  There are also many instances where the Expiry Time is listed as 0.  Strangely, though, the accessed/sync times are one hour behind what they should actually be, in reference to the logs from earlier.

Another value from these tables that appeared off is Modified Time.  I created this virtual machine for this testing at 16:00 on July 18th, 2012, and logged my first time opening the browser at 16:28.  Despite this, the time for this entry is thirty (30) minutes before the creation of the system even.

Container 6

Despite being listed as a container that should hold history, this container seems to contain mostly cookies when initially looking at it.  Typically on a Windows Vista or Windows 7 machine, when an index.dat file is found in …\windows\history\low\history.ie5, it is because UAC is turned on and the system is in Protected Mode.  Using default settings will cause these folders to be used for all cache, cookies, and history for the internet security zone and restricted security zone.

With that being said, this particular container still contained information mainly relating to cookies, as shown below:

 

Container 10

Container 10 holds url history that is more common from what we’ve seen before.  It is broken down though by date and week periods, similar to how MSHIST files work.  Container 10, in this instance, held the web browsing history for the date range of 07-18-2012 to 07-19-2012.

The information in the following table pertains to the time values for the top row, 2012071820120719: Forensicator@ Host: http://www.bing.com:

Time Entry
Decimal
Hexadecimal
Actual Time
Accessed Time
129871168894599004
1CD6523D886FF5C
Wed, 18 Jul 2012 15:28:09 -0500 UTC
Modified Time
129870916894440000
1CD64E92C25BA40
Wed, 18 Jul 2012 8:28:09 -0500 UTC
Sync Time
129871168894599004
1CD6523D886FF5C
Wed, 18 Jul 2012 15:28:09 -0500 UTC
Expiry Time
0
0
N/A

Once again, the confusing thing about this is the time that is being tracked.  It references the accessed, modified, and sync time to a time all before the system was ever booted, and accessed/sync time are again one hour behind the time they should be.

Container 14

Container 14 holds the same content as container 10 with the exception that it is just for a different day.  This is the same notion as what a user would get from MSHist index.dat files that are separated by dates.  Once again, all date timestamps are still an hour off with this table.

Test Round 2

So, because my time stamps were consistently one hour off the first time did this, I decided to test again and again.  The following table and screenshots all come from my third round of testing, and yield the same results (timestamps being one hour off) as the first two tests.

Time settings for the Windows 8 virtual machine:

 

The following table is my documented browsing information for this test.

Website/URL
Time/Date of Visit
Opened IE – default page Bing.com
10:26  –  7/23/2012
Newegg.com
10:29
Facebook.com
10:37
Opened new IE – default page Bing.com
10:50
Woot.com
10:51
Computerforensics.champlain.edu
10:56
Nba.com
10:56
Google.com
10:59
Google Search: computer and digital forensics research topics
10:59
Forensicfocus.com
11:00

Due to there only being one day of brief internet browsing on this machine, the Containers table only lists one container directly linking to an MSHist directory.

The container directly linked to MSHist, in this instance, was once again container 10.  The following image shows this table, sorted by Access Time in descending order.  As shown, it follows the same order that I documented.

For this time testing, we will use the third timestamp down, in reference to 2012072320120724: ethanf@http://www.newegg.com/.

Time Entry
Decimal
Hexadecimal
Actual Time
Accessed Time
129875273668344960
1CD68DF901BBC80
Mon, 23 July 2012 09:29:26 -0500
Modified Time
129875129668340000
1CD68BE090A0920
Mon, 23 July 2012 05:29:26 -0500
Sync Time
129875273668344960
1CD68DF901BBC80
Mon, 23 July 2012 09:29:26 -0500
Expiry Time
129897737668350190
1CD7D4DDED950EE
Sat, 18 August 2012 09:29:26 -0500

Once again, the timestamps from this are one hour behind what I documented.

Conclusions

It’s great to have a lot of progress on the WebCachev24.dat files, personally.  I had been trying to parse them at the hex level for a VERY long time.  What a relief.  The frustrating part, now, is determining why it is giving me time stamps from before the machine was even created, and why the accessed time timestamps are all one hour off.  I made sure that the virtual machine was set to -0500 UTC, my machine was set to -0500 UTC, and DCode set to -0500 UTC.  Even still, all my times are still coming up one hour before the time I actually accessed the websites.

One more kink in my never ending road of turmoil with MSIEv10 history files.  The other item that I haven’t been able to check with this system yet is the NoQuota.edb file within <user>\appdata\local\microsoft\internet explorer\Indexed DB.  MSDN refers to Indexed DB as “… a W3C Working Draft that enables you to store, search, and retrieve data on the user’s device, even when Internet connectivity is disabled.  IndexedDB is a feature of the Web platform shared by IE10 and Metro style apps in the Windows 8 Consumer Preview.”

A user also has the ability to set a quota on the amount of data that is stored on the device itself.  These quotas, however, do not apply to metro apps, nor did I set any quotas on this machine itself.  Therefore, being able to parse this database should give me more information relevant to internet history.  As I stated in my previous blog post though, I have been unable to run esentutl to fix the database and actually parse it.

Windows 8: File Forensics Part 1 – Recycle Bin

Windows 8: File Forensics Part 2 – USB Drive Activity

About the Author:

Ethan Fleisher is a Senior majoring in Computer and Digital Forensics at Champlain College. Originally from Carlisle, Pennsylvania, Ethan currently works as a Forensic Intern and System Administrator at the Senator Patrick Leahy Center for Digital Investigation where he is involved in real life investigation forensic analysis, network and system administration, and forensic research. Ethan has spent close to the last year researching the Microsoft Windows 8 OS with focus on revealing new artifacts and attempting to confirm previous methodologies.

(Guest post provided by Ethan Fleisher. Original article can be found at the author’s blog dig4n6.blogspot.com.)

Software Developer’s Journal “R” Language Issue

Our friends over at Software Developer’s Journal have just released an entire issue devoted to “R” language.

“R is an open source object oriented programming language that supports statistical computing and high quality graphics. Its roots are in the S language, developed by John Chambers while at Bell Labs and may be considered as an accent of the S language. R was originated by Ross Ihaka and Robert Gentleman of the University of Auckland in New Zealand.”

I know there are a lot of technical professionals that are avid followers of CyberArms, so I thought this might be of interest.

Check out these topics:

R Statistical & Graphical Language – David Guy
Graphics in R – Norman Matloff
Writing fast R Code – Norman Matloff
Parallel R – Norman Matloff
Multi Agent System with R – André Dias
R Data Manipulation – Luciano Selzer
R Graphics: Visualizing Time Series – Joshua Wiley
Regression (Linear Modeling) – Mark Gardener
Crunchbase analysis using MongoDB and R – Anastasiia Kornilova
The Basics of Programming and Statictical Analysis in R – Christopher Steven Marcum
R programming Language – Jennifer Urbano Blackford
R Language Definition – Richard A. Becker
Programming in R – Thomas Girke
Rpython, a package for calling Python from R – Carlos J. Gill Bellosta
Getting Started with R – R. Kent Dybvig
Going Further – R. Kent Dybvig
Records – R. Kent Dybvig
For and the use of vectors in R – Hans Ekbrand
Splitting a dendrogram in non-linear fashion using R – Jaynal Abedin
Using the R language to calculate cause of death co-occurrence – Jim Lemon
Using R in combination with Adobe Illustrator CS6 for professional graphics output – Christoph Scherber
Object, Class and Method in R – Kishor Kumar Dias
Detecting Structural Changes in Time Series Data Using R – Bharat Upadrasta, Prabakar Rajasekaran, Zubin Dowlaty
High Performance Scoring System Using R – Ganesh Moorthy, Nandakishor Koka and Zubin Dowlaty
Tips on Computing With Big Data in R – Lee Edlefsen and Susan Ranney

Check it out!

Free Issue of Exploit Magazine Released!

Check out the new Exploit Magazine! The first issue of the Exploit Magazine has just been published. It is totally devoted to Metasploit Framework.

  • Metasploit Framework – Demystified: Introduction to Metasploit Framework
  • Metasploit Exploitation Samples

You can download the magazine for free after registering as a free user. I hope that you will enjoy the content. Register now and enjoy future free issues of the Exploit Magazine:

http://theexploitmag.com/category/magazine

Exploit Magazine is looking for authors!

Are you a computer security expert or researcher that knows a thing or two about exploits and exploit defense? Share you knowledge with the community!

Contact me at cyberarms(at)live.com for more information.